'\" t
.\"     Title: idmap_ldap
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\"      Date: 10/24/2016
.\"    Manual: System Administration tools
.\"    Source: Samba 4.5
.\"  Language: English
.\"
.TH "IDMAP_LDAP" "8" "10/24/2016" "Samba 4\&.5" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
idmap_ldap \- Samba\*(Aqs idmap_ldap Backend for Winbind
.SH "DESCRIPTION"
.PP
The idmap_ldap plugin provides a means for Winbind to store and retrieve SID/uid/gid mapping tables in an LDAP directory service\&.
.PP
In contrast to read only backends like idmap_rid, it is an allocating backend: This means that it needs to allocate new user and group IDs in order to create new mappings\&.
.SH "IDMAP OPTIONS"
.PP
ldap_base_dn = DN
.RS 4
Defines the directory base suffix to use for SID/uid/gid mapping entries\&. If not defined, idmap_ldap will default to using the "ldap idmap suffix" option from smb\&.conf\&.
.RE
.PP
ldap_user_dn = DN
.RS 4
Defines the user DN to be used for authentication\&. The secret for authenticating this user should be stored with net idmap secret (see
\fBnet\fR(8))\&. If absent, the ldap credentials from the ldap passdb configuration are used, and if these are also absent, an anonymous bind will be performed as last fallback\&.
.RE
.PP
ldap_url = ldap://server/
.RS 4
Specifies the LDAP server to use for SID/uid/gid map entries\&. If not defined, idmap_ldap will assume that ldap://localhost/ should be used\&.
.RE
.PP
range = low \- high
.RS 4
Defines the available matching uid and gid range for which the backend is authoritative\&.
.RE
.SH "EXAMPLES"
.PP
The following example shows how an ldap directory is used as the default idmap backend\&. It also configures the idmap range and base directory suffix\&. The secret for the ldap_user_dn has to be set with "net idmap secret \*(Aq*\*(Aq password"\&.
.sp
.if n \{\
.RS 4
.\}
.nf
	[global]
	idmap config * : backend      = ldap
	idmap config * : range        = 1000000\-1999999
	idmap config * : ldap_url     = ldap://localhost/
	idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com
	idmap config * : ldap_user_dn = cn=idmap_admin,dc=example,dc=com
	
.fi
.if n \{\
.RE
.\}
.PP
This example shows how ldap can be used as a readonly backend while tdb is the default backend used to store the mappings\&. It adds an explicit configuration for some domain DOM1, that uses the ldap idmap backend\&. Note that a range disjoint from the default range is used\&.
.sp
.if n \{\
.RS 4
.\}
.nf
	[global]
	# "backend = tdb" is redundant here since it is the default
	idmap config * : backend = tdb
	idmap config * : range = 1000000\-1999999

	idmap config DOM1 : backend = ldap
	idmap config DOM1 : range = 2000000\-2999999
	idmap config DOM1 : read only = yes
	idmap config DOM1 : ldap_url = ldap://server/
	idmap config DOM1 : ldap_base_dn = ou=idmap,dc=dom1,dc=example,dc=com
	idmap config DOM1 : ldap_user_dn = cn=idmap_admin,dc=dom1,dc=example,dc=com
	
.fi
.if n \{\
.RE
.\}
.SH "NOTE"
.PP
In order to use authentication against ldap servers you may need to provide a DN and a password\&. To avoid exposing the password in plain text in the configuration file we store it into a security store\&. The "net idmap " command is used to store a secret for the DN specified in a specific idmap domain\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
